Essential Elements of GDPR, APPI, and CCPA
Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Japanese companies that handle personal information have started to reconsider their business models in obtaining and processing personal information. Before the introduction of GDPR, Japanese companies that offer goods and services to their customers located in the European Union (EU) were abided by only the Japanese Act on Protection of Personal Information (APPI). The implication of GDPR to Japanese companies stemmed from how the GDPR is designed, GDPR does not only apply to entities operating within the EU but also to entities outside the EU that offer goods or services to customers or companies in the EU.
However, as of 1st January 2020, there is another law that Japanese companies should take into account when obtaining and processing personal information, which is the California Consumer Privacy Act (CCPA). Unlike the GDPR, the CCPA is a state law, however, the implication of CCPA goes beyond the state of California. This is because California is a state that has boasted substantial consumer spending power, Japanese companies that intend to expand their business to the United States would have no choice but to observe CCPA when dealing with personal information.
To understand the implication of CCPA and GDPR, the following is the side by side comparison of the essential elements of CCPA and GDPR. For easy reference, the chart also indicates APPI.
|Territorial and Scope||Applies to an entity outside Japan if they acquire personal information of an individual in Japan in connection to the provisions of goods or service, and that personal information or the de-identified information created using that personal information is handled outside of Japan.||Applies to an entity (i) located in the EU and (ii) those outside EU, if it offers free or paid goods or services to EU residents or monitors the behavior of EU residents.||It does not currently require the physical presence of a company in California. It applies to for-profit companies that do "business" in California, regardless if they are California entities or not. The application of the law requires that a business meet one of the three requirements (i) USD25 million in annual revenue, or (ii) data collection of more than 50,000 consumers data; or (iii) derives 50% of annual revenue from sales of consumers data.|
|Definition of Personal Information||Information about a living individual who can be specifically identified by the name, date of birth or other description contained in such information. Personal Information includes information that enables an individual to identify a specific individual with easy reference to other information.||Any information: (a) Relating to an identified or identifiable natural person; (b) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.||Any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with particular consumer or household”. CCPA defines “consumers” as a California resident. Personal information does not include publicly available information.|
|Lawful bases for processing personal information||When handling personal information, a business operator must specify the purpose of use of personal information to the fullest extent possible. Changes to the purpose of use must not go beyond the reasonable scope of the original purpose of use. Prior consent is required if usage is beyond the scope of the purpose of use. The Purpose of Use must be made known to the data subjects when personal information is collected or promptly thereafter and this can be made by a public announcement (such as posting the purpose on the business operator’s website)||Under the GDPR, processing shall be lawful only if and to the extent that at least one of the followings applies: (i) consent to the processing is obtained; (ii) processing is necessary for the performance of a contract; (iii) processing is necessary for compliance with a legal obligation; (iii) processing is necessary to protect the vital interests of the data subject or another natural person; (iv) processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller; (v) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.||A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with the purpose
However, the law is not applied to business that retains any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
|Lawful bases for cross-border data transfer to a third party||Prior consent is required; however, consent is not necessary if (i) the foreign country is specified by PPC having the same level of protection or (ii) the third party having the same standard of protection as prescribed by PPC||Fulfill the requirement of GDPR (including consent). Consent may not be required if the cross-border data transfer is made to a third country being recognized by the Commission having adequate level protection as GDPR. Besides, the GDPR also allows for cross-border data transfer if binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification are in place||There is no restriction on Cross-border Data transfer|
|Penalty||Fines up to ¥500,000, and also face the possibility of imprisonment of up to one year||Fines of up to €20 million or 4% of their annual worldwide turnover, whichever is higher||Fines no more than $2,500 for each violation, or $7,500 for each intentional violation|
|Right to access information||APPI grants the right to disclosure and the business operator must disclose the retained personal data without delay. However, if one of the following applies, the business operator may choose not to disclose all or part of the retained personal data: (i) if the disclosure is likely to harm the life, body, property, or other rights or interests of the person or a third party; (ii) if the disclosure is likely to seriously interfere with the proper implementation of the business operator handling personal information; (iii) if the disclosure would violate any other law or regulation.||The GDPR grants the right to have access to personal data, including additional information on the processing activities. An individual has the right to receive information in a structured, machine-readable format to facilitate the transfer of information to other entities the consumer wishes to send it to without barriers.||CCPA provides the right to have personal information disclosed, in terms of the categories of information collected concerning the customers and the specific pieces of information held by the business concerning customers. The relevant information must be disclosed in a readily and usable format to facilitate, without barriers, the transfer of information to wherever/whomever the consumer wishes to send it to.
Consumers must also be notified of the business’s purpose for using their personal information as well as which third parties the information will be shared with.
|Right to delete information||A request to discontinue the use or delete the retained personal information must be complied by companies when (i) the collection made by deception or other wrongful means, or (ii) the handling of the personal information goes beyond the scope necessary to achieve the purpose of use without obtaining prior consent.
There is no specific legal provision on the “right to be forgotten” under the law.
|Entity (controller) must comply with requests for the erasure of personal data only in certain scenarios:
(i)the personal data is no longer necessary to fulfill the purpose on why it was collected; (ii) the data subject withdraws consent and their personal data is within a special category of data, while there is no other legal ground for processing; (iii) objection made to the processing is according to direct marketing purposes; (iv) the personal data was processed unlawfully; (v) the personal data is required to be erased to comply with legal obligations to other EU or Member State law; (vi) the collection of the personal data relates to the offer of information society services.
A part of complying with such a request is that the entity must direct any relevant data processors to delete such personal data as well.
|A business must comply with requests for the deletion of personal information. Any deletion request does not only affect the personal information held by the respective business but also requires the respondent to reach out to its service providers and require the same to delete any relevant data covered by such a request.|